Read my writeup of the Paper machine
TL;DR
User: By observing the HTTP response, we found the office.paper domain in the X-Backend-Server header. We found that the site runs WordPress version 5.2.3, and by using the "WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts" exploit we found the URL for Rocket.Chat. Inside the chat we found a chatbot. Using its list directory command, we found the scripts directory. Using that, we found the run command, which allows us to run commands, and with it we got a reverse shell as the dwight user.
Root: By enumerating, we found Polkit running. Using CVE-2021-3560, we got a root shell.